Solved

Not able to install antivirus, hijackthis, killbox or any other tool

Posted on 2008-10-17
24
1,358 Views
Last Modified: 2012-06-27
I have some type of spyware on my computer.  The first thing is that I cannot install an Antivirus program.  I cannot run hijackthis or killbox.  I click on it and it does nothing.  A couple of things I noticed.  There is a red circle with an X in my system tray that will display a balloon stating the computer needs to download an antivirus.  If you click on it or cancel it, it tries to install XPAntivirus2009.  I also have registry entries and folders called Search assist or srchasst and inside they have .acs files.  I try to delete but says the program is in use.  Tried to install the antivirus in safe mode but no luck.  I also have an exe called facegame.  Any suggestions on how to install the antivirus to kill all the others problems?  Thanks in advance!
Question by: djb1011

24 Comments
 
LVL 22

Accepted Solution
by: orangutang (earned 150 total points)
Can you send an Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) log? Or can you open Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)

LVL 8

Assisted Solution
by: eXpeLLeD_4RM_heLL (earned 200 total points)
Have you tried renaming the antivirus program and installing it thereafter?

For XP antivirus2009 the best solution is Malwarebytes Anti-Malware; you can download it from http://www.malwarebytes.org/.

Also you can download UBCD4Win from www.ubcd4win.com, use the how to guide to create a bootable CD, boot from the CD and access the antispyware tools from the CD.
If you manage to get hijackthis to run please post a log back here.

Also see if you can run online scanners such as:
housecall.trendmicro.com/
www.kaspersky.com/virusscanner

LVL 3

Expert Comment
by: omic_admin
UBCD4Win is always my favorite tool of choice in these kinds of cases: boot off the clean CD (with the fixes), not the infected HD!

Expert Comment
by: ITS_TLH1
If those steps mentioned above do not work, you can try using the Hiren's BootCD. This is one of my favorite tools. It is a bootable CD loaded with tons of utilities to help troubleshoot and repair machines. The image is free to download and you can find more information at http://www.hiren.info/pages/bootcd. You want to pay attention to the following tools: McAfee AV, Process Explorer, Pocket KillBox, HijackThis, RootkitRevealer, SilentRunners, Autoruns, SpyBot, Spyware Blaster, Ad-Aware and many more... You can also try creating your own BartPE CD with the specific tools of your choice loaded.

Hope that helps.

Author Comment
by: djb1011
Do you create the UBCD4win bootable cd on another computer?

Author Comment
by: djb1011
or should you create it on the computer with the virus?

LVL 32

Assisted Solution
by: willcomp (earned 150 total points)
Create it on another PC.

ComboFix will remove the infection. Follow instructions at link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It may be necessary to rename ComboFix. If so, please rename it during download and not afterward.

@ ITS TLH1 ---> Hiren's Boot CD contains pirated software and recommending it on EE is prohibited.

LVL 8

Expert Comment
by: eXpeLLeD_4RM_heLL
Also, if ComboFix manages to run, please post the ComboFix log file back here using the attach file button.

Author Comment
by: djb1011
Here is the HijackThis log file. I was able to run that, but that's it.
hijackthis101908.txt

LVL 8

Expert Comment
by: eXpeLLeD_4RM_heLL
Fix the following using HijackThis:
C:\WINDOWS\system32\wmianstd.exe
O2 - BHO: (no name) - {7E51A52E-9A0F-495F-88AB-1310E4E1FF62} - C:\WINDOWS\system32\efcDTJbc.dll
O2 - BHO: (no name) - {95F0FD92-3505-4437-9DF7-76EABE49FCC8} - (no file)
O2 - BHO: (no name) - {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\hgGwWMgf.dll
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat

I also see that you have managed to run it by changing the file name.

Try to run ComboFix in safe mode, but also change the name during download before you run it. Disable your antivirus program before running ComboFix.

To start up in safe mode, restart your PC and press F8 before the Windows splash screen appears. A menu should appear with Safe Mode right at the top of the menu. Press Enter, choose your OS and let Windows start. Thereafter try and run ComboFix.

LVL 8

Expert Comment
by: eXpeLLeD_4RM_heLL
Also, have you managed to run the antispyware tools located on UBCD4Win?

Author Comment
by: djb1011
I believe that I created the CD from UBCD4Win and burned the ISO file to a CD.

Author Comment
by: djb1011
Per my last post, I did run and create the UBCD4Win CD; however, when I put the burned CD in the drive and start up, it gives me an option that states: boot from ...... but it goes by too fast. How do I know if it's booting using the CD or booting from the operating system on the hard drive?

LVL 22

Expert Comment
by: orangutang
Removing those entries in HijackThis probably won't help much, since some of them will automatically be re-added. Were you able to use ComboFix, Anti-Malware, Kaspersky, or SUPERAntiSpyware?
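Two points in this thread lend themselves to a worked check: the HijackThis entries eXpeLLeD_4RM_heLL told the asker to fix (unnamed BHOs, an autostart running svchost.exe from the wrong folder, wildcard IE Trusted Zone additions, and an AppInit_DLLs value), and orangutang's warning that some of those entries simply come back. The Python script below is an added example for this page; it is not from any participant and is not a HijackThis feature. It parses HijackThis-style log lines, flags those four entry classes with a short reason, and then compares a "before" log with an "after" log to list which flagged entries persisted. The sample "before" lines are taken from the log entries posted in the thread, plus one constructed benign ctfmon.exe line for contrast; the "after" log is constructed. CANONICAL_PATHS is an assumption about a stock Windows XP layout, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entries quoted from the log posted in the thread, plus one
# benign O4 line (ctfmon.exe, a stock Windows XP autostart) for contrast.
SAMPLE_HJT_LOG = r"""O2 - BHO: (no name) - {7E51A52E-9A0F-495F-88AB-1310E4E1FF62} - C:\WINDOWS\system32\efcDTJbc.dll
O2 - BHO: (no name) - {95F0FD92-3505-4437-9DF7-76EABE49FCC8} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
"""

# Constructed "after" log: a second scan where the BHOs and the fake svchost are
# gone but the Trusted Zone entries and AppInit_DLLs value came back.
SAMPLE_AFTER_LOG = r"""O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
"""

# Assumption: stock Windows XP locations of binaries that malware likes to imitate.
CANONICAL_PATHS = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "ctfmon.exe": r"c:\windows\system32\ctfmon.exe",
}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_LINE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


@dataclass
class Entry:
    kind: str   # section code, e.g. "O4"
    body: str   # text after "O4 - "
    raw: str    # full stripped line, used as the identity of the entry


def parse_hjt(text: str) -> List[Entry]:
    """Keep only lines that look like HijackThis 'Onn - ...' entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def _check_bho(e: Entry) -> Optional[str]:
    if not e.body.startswith("BHO: (no name)"):
        return None
    if e.body.endswith("(no file)"):
        return "unnamed BHO whose DLL is missing (orphaned or hidden registration)"
    return "unnamed BHO; legitimate browser helper objects normally carry a name"


def _check_run(e: Entry) -> Optional[str]:
    m = RUN_LINE.match(e.body)
    if not m:
        return None
    command = m.group(3)
    # Unquoted paths containing spaces are not handled; the thread's entries have none.
    exe_path = command.strip().strip('"').split(" ")[0].lower()
    exe_name = exe_path.rsplit("\\", 1)[-1]
    canonical = CANONICAL_PATHS.get(exe_name)
    if canonical and exe_path != canonical:
        return f"{exe_name} autostarts from {exe_path}, expected {canonical}"
    return None


def _check_trusted_zone(e: Entry) -> Optional[str]:
    m = re.match(r"^Trusted Zone: (\S+)", e.body)
    return f"{m.group(1)} added to IE Trusted Zone (relaxes security for that site)" if m else None


def _check_appinit(e: Entry) -> Optional[str]:
    value = e.body.partition("AppInit_DLLs:")[2].strip()
    return f"AppInit_DLLs loads {value} into every process that links user32.dll" if value else None


CHECKS = {"O2": _check_bho, "O4": _check_run, "O15": _check_trusted_zone, "O20": _check_appinit}


def triage(text: str) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) for every entry that trips a check, in log order."""
    findings = []
    for e in parse_hjt(text):
        check = CHECKS.get(e.kind)
        reason = check(e) if check else None
        if reason:
            findings.append((e, reason))
    return findings


def persisting_entries(before: str, after: str) -> List[str]:
    """Flagged entries from the first log that are still present in the second."""
    flagged_before = {e.raw for e, _ in triage(before)}
    return [e.raw for e in parse_hjt(after) if e.raw in flagged_before]


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_HJT_LOG):
        print(f"[{entry.kind}] {entry.raw}\n    -> {reason}")
    print("\nStill present after the fix attempt:")
    for raw in persisting_entries(SAMPLE_HJT_LOG, SAMPLE_AFTER_LOG):
        print("  " + raw)
```

Run it on a saved HijackThis log by reading the file into `triage`; the benign ctfmon.exe line produces no finding because it runs from its expected location, while the svchost.exe entry under system32\drivers is flagged by path mismatch rather than by name. The `persisting_entries` comparison is the check orangutang's remark calls for: any flagged line that reappears in the post-fix log points to a loader (here the AppInit_DLLs value) that must be dealt with before the individual entries will stay gone.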

Author Comment
by: djb1011
I just downloaded ComboFix and am getting ready to run it. Could the malware be the reason that I can't install antivirus from Norton?

Author Comment
by: djb1011
ComboFix has just completed and here is the log.
combofix-log.txt

Author Comment
by: djb1011
I have also run Autoruns; the file is attached. I saved it with the .arn extension but it wouldn't accept it for upload, so I renamed it with a .txt extension. I was able to run Kaspersky but it couldn't fix numerous items.
AutoRuns.arn.txt

LVL 32

Expert Comment
by: willcomp
It's normal for AV to encounter non-deletable or non-fixable files after malware removal. Those files are in the System Restore folder and/or quarantine folders that are protected and not accessible.

For now, don't worry about AV software. Install and run Malwarebytes Anti-Malware to finish adware/spyware removal.

Author Comment
by: djb1011
I installed and ran Malwarebytes Anti-Malware and it found several infections. I have attached the log.

mbam-log-2008-10-19--22-21-26-.txt

LVL 32

Expert Comment
by: willcomp
Looks like you are good to go. Before doing anything else, uninstall ComboFix --> type combofix /u in a Run box to uninstall.

Author Comment
by: djb1011
Thank you for the help in removing the malware.  I am still not able to install my Norton Antivirus end protection.  It starts the download and then it will say that the wizard got interrupted and won't completely install.  Any suggestions?

Author Comment
by: djb1011
Please disregard my last comment; I was able to install the antivirus software.

LVL 22

Expert Comment
by: orangutang
Also, send us one more HijackThis log just in case.

LVL 8

Assisted Solution
by: eXpeLLeD_4RM_heLL (earned 200 total points)
Before you uninstall ComboFix you must:
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\brastk9999.exe
C:\Documents and Settings\Stan Sanko\delself.bat
C:\Documents and Settings\Stan Sanko\xrt_jens.exe
C:\WINDOWS\system32\g50.exe
C:\WINDOWS\system32\efcBrSjh.dll
C:\WINDOWS\system32\prun.exe

Folder::
C:\Documents and Settings\All Users\Application Data\xcbepyfg
C:\WINDOWS\U3RhbiBTYW5rbw
C:\WINDOWS\system32\WS
C:\WINDOWS\system32\pi
C:\WINDOWS\system32\nys3
C:\WINDOWS\system32\mco2
C:\WINDOWS\system32\EV19

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Once this is complete you can uninstall ComboFix as mentioned previously.
And one HJT log will do as well.